The changing face of Password Management
By Nishant Kaushik on Oct 09, 2008
A college student was arraigned on Wednesday for allegedly breaking into Gov. Sarah Palin's private e-mail account last month. Political leanings aside, I read the news article with great interest for the inherent security implications. Reading it, this line jumped out at me:
The F.B.I. said that the younger Mr. Kernell allegedly hacked into the account in mid-September by resetting Gov. Palin’s password.
I obviously don't know the specifics of how the F.B.I. says the password was reset. But for the sake of our discussion, let's assume that the email system relied on a typical challenge response mechanism (currently the norm in most free email systems). The hacker obviously didn't know the password, but was able to reset the password to something of his/her choosing by successfully answering the challenge questions. In the age of Google, how hard is it to find out the first school, the first car, the mother's maiden name or the pet's name of a famous public personality like Sarah Palin?
As Bob Blakley likes to point out, there are no secrets any more, therefore any system that relies on secrets is inherently flawed.
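To make the point concrete, here is an added illustration (not code from the original post or from any real email provider) of the reset mechanism described above, side by side with a flow that does not rest on lookup-able "secrets": a random, single-use, expiring token delivered to a recovery channel on file, compared in constant time and limited to a few attempts. The account data and the question/answer pairs are constructed sample values.

```python
import hmac
import secrets

# Constructed sample account (not from the post): the stored KBA answers are the
# kind of facts the post says anyone can look up for a public figure.
ACCOUNT = {
    "password": "old-password",
    "kba": {"first_school": "sample elementary", "pet": "rex"},
}

def kba_reset(answers: dict, new_password: str) -> bool:
    """Weak flow: whoever can look up the answers gets to choose a new password."""
    for question, expected in ACCOUNT["kba"].items():
        if answers.get(question, "").strip().lower() != expected:
            return False
    ACCOUNT["password"] = new_password
    return True

# Hardened flow: the proof of control is a fresh random token that only the
# verified recovery channel (e-mail/phone on file) ever receives.
TOKEN_TTL_SECONDS = 600
MAX_ATTEMPTS = 3
_pending = {}   # user -> {"token": str, "expires": float, "attempts": int}

def issue_reset_token(user: str, now: float) -> str:
    """Create the token. A real system sends it to the recovery channel and never
    returns it to the requester; the return value here stands in for that delivery."""
    token = secrets.token_urlsafe(32)
    _pending[user] = {"token": token, "expires": now + TOKEN_TTL_SECONDS, "attempts": 0}
    return token

def complete_reset(user: str, token: str, new_password: str, now: float) -> bool:
    """Accept the reset only with a live, unexpired token within the attempt budget."""
    entry = _pending.get(user)
    if entry is None or now > entry["expires"]:
        _pending.pop(user, None)              # unknown or expired: nothing to compare
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        _pending.pop(user, None)              # guessing budget exhausted; token burned
        return False
    if not hmac.compare_digest(entry["token"], token):   # constant-time comparison
        return False
    _pending.pop(user, None)                  # single use: success consumes the token
    ACCOUNT["password"] = new_password
    return True
```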
In a completely separate conversation, a colleague of mine sent me the following thought:
All the banks and merchants I do business with online have been increasing their level of security, especially with password complexity requirements. Historically I have limited all my passwords down to 3 based on the type of site so I had no need to write them down. Now because of all the different password complexity requirements, especially the password history requirement, I can no longer do that... so I'm now forced to write them down :(
In some sick way, more security by merchants is now leading to worse security for me, the user. I'm forced back to the sticky note.
From the Good News/Bad News Department
The bad news in all this is that we seem to be going through a phase where additional mechanisms introduced to secure the systems in a user-friendly manner have actually exacerbated the problem because they rely on flawed assumptions. The above issues are clear illustrations of this. The mechanisms deployed (challenge response, password complexity requirements) would have been fine on their own for the system they are meant to protect. But these solutions did not anticipate how they would be impacted by the reality of their users' online environment. The aggregation of multiple such systems for a user actually ends up degrading the effectiveness of these solutions, to the point where they end up becoming liabilities instead.
The good news is that new technologies and solutions are emerging that (hopefully) will address these problems. OpenID and Information Cards aim to rid us of the multiple password problem by promising a world of reduced sign-on built on trust. Identity assurance technologies (like the ones in Oracle's Identity Assurance Partner Alliance) provide safer, more reliable means to verify the interacting parties' identity than traditional challenge response mechanisms, thus preventing the kind of attacks described above.
So better days are coming. The real challenge ahead of us is getting all involved parties (consumers, online enterprises, vendors) educated on how these solutions can be used to make our online lives more secure.